Understanding and Managing Risk Culture

IRM is leading the debate on risk culture. Drawing upon the wealth of practical experience and expert knowledge across the institute, we have developed guidance for organisations wanting a greater understanding of their own risk culture and practical tools that can be applied to drive change.

As seen in the business press every day, embedding risk management into an organisation to the extent that it reliably makes a difference is a difficult task. To achieve this, boards must keep the management of risk high on their agenda and continue asking themselves whether they have the right culture, people and processes.

What do we mean by risk culture?

Risk culture is a term describing the values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose, in particular the employees of an organisation. This applies to all organisations from private companies, public bodies, governments to not-for-profits.

What does a good risk culture look like?

An effective risk culture is one that enables and rewards individuals and groups for taking the right risks in an informed manner.

In today's increasingly global work environment, more employees than ever before are making material decisions on behalf of the organization, and these decisions don't always adequately account for risks to the enterprise.

This webinar will provide an overview of how to define your organisation’s level of ‘risk appetite’, helping you to determine the most relevant approach for drafting your organisation’s risk appetite statements, assess stakeholders’ preferred risk-taking posture and write impactful risk appetite statements.

Every organisation has invested recently in its assurance functions – budgets in compliance have grown by 10%, InfoSec by 17%, and ERM by 22% – but significant failures and incidents continue to occur. In addition, operational management regularly complain of assurance fatigue, and ExCos increasingly demand a holistic approach to risk management or a “single view of the truth”.

Ian Beale, executive advisor at CEB, has more than 20 years' experience in the field of audit and risk. He relishes variety and new intellectual challenges, which proves useful in his role advising companies on critical and emerging risk and audit issues. On a daily basis, Ian works with global companies to identify risk priorities and areas of focus in a world that is rapidly changing.

The continued growth in the size and frequency of costly data breaches has increased the pressure on senior leadership and Boards of Directors to take a rigorous approach to understanding and managing cyber security risk. With this in mind, ERM teams are being asked to weigh in on the organisation’s response to these risks. Join this webinar to learn from CEB how your peers manage and report on cyber security risks and work with their Information Security counterparts to ensure that their organisations are prepared for the inevitable cyber-attack.

Suzanne Crouch, Director of Training at Sologic, will deliver a 40-minute webinar on Root Cause Analysis combining Level 1 and Level 2: Senior Investigator. Suzanne will speak about the cause-effect relationship of events and the impact they have on your job role and your organisation. RCA identifies ways to stop negative events recurring, while examining successful events to help you replicate their positive characteristics.

RCA Level 2 (Senior Investigator) creates an understanding of the critical elements needed to lead an effective investigation and produce credible results, and of the steps required to protect the credibility and integrity of the investigation team, the problem owner, and any impacted parties.

In this webinar we will review best practice risk reporting and how to design company-wide risk reporting that focuses on providing insight rather than data or information. These approaches provide enough detail to enable informed decision making at all levels without overburdening recipients with superfluous information.

This event is designed for Heads of ERM, ERM Directors, ERM Managers, and other direct reports of the Chief Risk Officer. It is designed to teach the basics and also best practices of conducting a successful risk assessment workshop plus tactics for impactful workshop facilitation. Participants will learn a number of tactical ERM practices that can be implemented immediately.

The Code of Governance now requires organisations to include viability statements in their Annual Report. This webinar is targeted at those individuals who have responsibility for, or are contributing to, the preparation of their company’s Annual Report.

Insurance is the equitable transfer of the risk of a loss, from one entity to another in exchange for payment. It is a form of risk management primarily used to hedge against the risk of a contingent, uncertain loss. An insurer, or insurance carrier, is a company selling the insurance; the insured, or policyholder, is the person or entity buying the insurance policy. The amount of money to be charged for a certain amount of insurance coverage is called the premium. Risk management, the practice of appraising and controlling risk, has evolved as a discrete field of study and practice.

The focus of this programme is manifold and addresses the following issues: fostering the use of the tools of risk assessment and risk management in new fields of application such as policy making; providing a platform between the insurance community, the engineering and academic communities and policy makers to discuss risk issues; promoting the concept of the insurability of risks as the natural borderline between State legislation and the market economy; and identifying new opportunities for insurers in the emerging sustainability concept in order to enlarge the field of insurable risks.

Reputational risk, often called reputation risk, is a risk of loss resulting from damages to a firm's reputation, in lost revenue; increased operating, capital or regulatory costs; or destruction of shareholder value, consequent to an adverse or potentially criminal event even if the company is not found guilty. Adverse events typically associated with reputation risk include ethics, safety, security, sustainability, quality, and innovation. Reputational risk can be a matter of corporate trust.

Business continuity encompasses a loosely defined set of planning, preparatory and related activities which are intended to ensure that an organization's critical business functions will either continue to operate despite serious incidents or disasters that might otherwise have interrupted them, or will be recovered to an operational state within a reasonably short period. As such, business continuity includes three key elements:

1. Resilience: critical business functions and the supporting infrastructure are designed and engineered in such a way that they are materially unaffected by most disruptions, for example through the use of redundancy and spare capacity.
2. Recovery: arrangements are made to recover or restore critical and less critical business functions that fail for some reason.
3. Contingency: the organization establishes a generalized capability and readiness to cope effectively with whatever major incidents and disasters occur, including those that were not, and perhaps could not have been, foreseen. Contingency preparations constitute a last-resort response if resilience and recovery arrangements should prove inadequate in practice.

Every profession has tools fundamental to its trade, each of which needs to be reviewed and sharpened regularly to ensure they remain effective. The risk register, matrix and bow-tie are three such tools within risk management. This one-hour webinar will provide tips on how to optimise each of these critical risk tools and tailor them to your organisation.

At the heart of any effective risk process are two common qualities: strong teamwork and open communication. These, supported by a strong action and solution orientation, enable the Risk Management function to carry out its mandate effectively. Risk Champions are central to this and, used well, they become the glue that can hold risk activities together.

Risk sources are increasingly identified and located not only in infrastructural or technological assets and tangible variables, but also in Human Factor variables, mental states and decision making. The interaction between Human Factors and the tangible aspects of risk highlights the need to focus closely on the Human Factor as one of the main drivers for Risk Management: a "Change Driver" that arises first of all from the need to know how humans perform in challenging environments and in the face of risks.

You already understand the process of risk management. The next step is to equip yourself to fully integrate business risk and opportunities for innovation into your organisation's corporate governance model.

ISO 31000 was published as a standard on the 13th of November 2009, and provides a standard on the implementation of risk management. A revised and harmonised ISO/IEC Guide 73 was published at the same time. The purpose of ISO 31000:2009 is to be applicable and adaptable for "any public, private or community enterprise, association, group or individual."[3] Accordingly, the general scope of ISO 31000 – as a family of risk management standards – was not developed with a particular industry group, management system or subject matter field in mind; rather, it provides best practice structure and guidance to all operations concerned with risk management.

Join us to review the emerging risks for 2015 as executives face an environment of unprecedented volatility: market conditions change rapidly and new risks continue to proliferate. To navigate the continually changing and complex risk environment,

Risk management is an increasingly important business driver and stakeholders have become much more concerned about risk. Risk may be a driver of strategic decisions, it may be a cause of uncertainty in the organisation or it may simply be embedded in the activities of the organisation. An enterprise-wide approach to risk management enables an organisation to consider the potential impact of all types of risks on all processes, activities, stakeholders, products and services. Implementing a comprehensive approach will result in an organisation benefiting from what is often referred to as the ‘upside of risk’.

The global financial crisis in 2008 demonstrated the importance of adequate risk management. Since that time, new risk management standards have been published, including the international standard, ISO 31000 ‘Risk management – Principles and guidelines’. This guide draws together these developments to provide a structured approach to implementing enterprise risk management (ERM).